Solved: How to write a search to find the count and group ...

Velugs · ‎12-09-2015

Dear All,

I am new to Splunk and got a request to create dashboard on Splunk. Criteria is to collect/group linkdown traps and need to have a count based on interface.

So example output needs to be like

Host --- Interface --- Count

Right now I am able to get Host --Count, but need to edit the search such that I get a count based on Interface and not host. Hope this is clear.

Kind Regards

renjith_nair · ‎12-09-2015

Try this :

<your search> |stats count,latest(Host) as Host by Interface

This can be modified to your final requirement

Happy Splunking!

View solution in original post

renjith_nair · ‎12-09-2015

Try this :

<your search> |stats count,latest(Host) as Host by Interface

This can be modified to your final requirement

Happy Splunking!

Velugs · ‎12-14-2015

Hey Thank you.. just want to update the forum .. I got it..

index=XXX sourcetype="YYY" "Server Interface Down" | rex "(?i) Interface Down on (?P[^ ]+)" | rex "on [^ ]+ - (?P[^\"]+)" | stats count,latest(Description) as Description by host,Interface | search count >=100 | sort - count

Velugs · ‎12-14-2015

Hi Thank you.. well using the below I get Interface--count--host any chance I modify the output such as I can see host--interface--count

Velugs · ‎12-10-2015

Thanks for your time

it worked but with the below command

index=XXX sourcetype="YYY" "Server Interface Down" | head 10000  | rex "(?i) Interface Down on (?P[^ ]+)" | stats count,latest(host) as host by INTERFACE

Thank you Renjith 🙂

renjith_nair · ‎12-10-2015

Just replace latest(host) by values(host) to display all hosts in case there are multiple values

Happy Splunking!

How to write a search to find the count and group linkdown traps based on interface?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life